-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT* Summary CS-95:02
September 26, 1995
Last Revised: October 2, 1997
Updated copyright statement
The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our incident
response staff. The summary includes pointers to sources of information for
dealing with the problems. Starting with this summary, we will also list new
or updated files that are available for anonymous FTP from ftp://info.cert.org
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
Since the July CERT Summary, we have seen these continuing trends in incidents
reported to us:
1. Sendmail Attacks
We receive several reports each week of attacks through sendmail, with
intruders using a variety of techniques. Most of the attacks are aimed at
gaining privileged access to the victim machine.
To combat these threats, we encourage sites to take the appropriate steps
outlined in the following:
ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
A number of sites have reported some confusion on the need to continue using
the sendmail restricted shell program (smrsh). You need to run the smrsh tool
in conjunction with the most recently patched version of sendmail for your
system.
Information on the smrsh tool can be obtained from these places in
ftp://info.cert.org/pub/
tools/sendmail/smrsh/
cert_advisories/CA-93:16.sendmail.vulnerability
cert_advisories/CA-93:16a.sendmail.vulnerability.supplement
cert_advisories/CA-95:11.sun.sendmail-oR.vul
The smrsh program can be obtained from
ftp://info.cert.org/pub/tools/smrsh/
It is included in the sendmail 8.7 distribution.
2. Network Scanning
Several incidents have recently been reported in which intruders scan a large
address range using the Internet Security Scanner (ISS). As described in CERT
advisory CA-93:14, this tool interrogates all computers within a specified IP
address range, determining the security posture of each with respect to
several common system vulnerabilities.
Intruders have used the information gathered from these scans to compromise
sites. We are aware of many systems that have suffered a root compromise as a
result of information intruders obtained from ISS scans.
You may wish to run ISS against your own site in accordance with your
organization's policies and procedures. ISS is available from
ftp://info.cert.org/pub/tools/iss/iss13.tar
We encourage you to take relevant steps outlined in these documents:
ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
ftp://info.cert.org/pub/tech_tips/packet_filtering
3. Exploitation of rlogin and rsh
We have received some reports about the continued exploitation of a
vulnerability in rlogin and rsh affecting IBM AIX 3 systems and Linux systems.
This is not a new vulnerability, but it continues to exist. Sites have
reported encountering some Linux distributions that contain this
vulnerability.
Information on this vulnerability and available solutions can be
obtained from
ftp://info.cert.org/pub/cert_advisories/CA-94:09.bin.login.vulnerability
4. Packet Sniffers
We continue to receive new incident reports daily about sniffers on
compromised hosts. These sniffers, used to collect account names and
passwords, are frequently installed using a kit. In some cases, the packet
sniffer was found to have been running for months. Occasionally, sites had
been explicitly warned of the possibility of such a compromise, but the
sniffer activity continued because the site did not address the problem in the
comprehensive manner that we suggest in our security documents.
Further information on packet sniffers is available from
ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
Information about detecting sniffers using cpm is included in the advisory.
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since June 1, 1995.
* New Additions:
ftp://info.cert.org/pub/
incident.reporting.form (the form you should fill out when
reporting an incident to our staff)
ftp://info.cert.org/pub/cert_advisories/
CA-95:08.sendmail.v.5.vulnerability
CA-95:09.Solaris.ps.vul
CA-95:10.ghostscript
CA-95:11.sun.sendmail-oR.vul
ftp://info.cert.org/pub/cert_bulletins/
VB-95:05.osf (OSF/DCE security hole)
VB-95:06.cisco (vulnerability in Cisco's IOS software)
ftp://info.cert.org/pub/tech_tips/
AUSCERT_checklist_1.0 (UNIX checklist developed by the Australian
Emergency Response Team)
* Updated Files
ftp://info.cert.org/pub/cert_advisories/
CA-93:14 (Internet Security Scanner)
CA-94:01 (network monitoring)
CA-94:02 (SunOS rpc mountd vulnerability)
CA-94:05 (md5)
CA-94:11 (majordomo)
CA-95:01 (IP spoofing and hijacked terminal connections)
CA-95:02 (binmail vulnerabilities)
CA-95:05 (sendmail - several vulnerabilities)
CA-95:08 (sendmail version 5 and IDA sendmail)
CA-95:09 (Solaris ps)
CA-95:11 (Sun sendmail -oR vulnerability)
We have begun adding a note reminding readers to check with vendors
for current checksum values. After we publish checksums in advisories,
files and checksums are sometimes updated at individual locations.
* Other Changes:
As we will no longer be keeping the lsof directory current, the directory and
its files have been removed from our FTP site. The current version of lsof is
available from
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
To be added to our mailing list for CERT advisories
and bulletins, send your email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.
We can support a shared DES key, PGP, or PEM (contact CERT staff for details).
Location of CERT PGP key
ftp://info.cert.org/pub/CERT.PGP_key
- ------------------------------------------------------------------------------
Copyright 1995 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
CERT is registered in the U.S. Patent and Trademark Office.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:
Oct 02, 1997 Updated copyright history
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNDgCuHVP+x0t4w7BAQGMcAP+OswGdhbPvQbVOxRqvvPqn1pjXY6ntK75
agG+2ugUV4S0UK6dpiwKZq+RilJk8e0Y6GIF7OFjC8bBrc3kcIII173YDZrPSFT0
fIe+rcmA4c8LyvkW29a09oBHWp0NG1AHxKTm4DaMprbASLMf2BsRZ0doIPSoSO/v
BWCwrgMDnRY=
=ZCZn
-----END PGP SIGNATURE-----